jeopardize: a low (zero) cost threat intelligence & response tool against phishing domains
Who am I


- Security Analyst @HackerOne
- utkusen.com
- github.com/utkusen
- twitter.com/utkusen


Figure (Kaspersky): share of phishing attacks by target category: banks, payment systems, global internet portals, social networks, online stores, government and taxes, telecommunication companies, online games, IMS, finances, other.


Example phishing email:

From: Legitimate Admin <spoofed@gmail.com>
Subject: Activation of your account

Hi! This is totally legitimate email and you have nothing to worry about! Now,
please click link below and type in your password!

Example phishing site: paypall-christmasgifts.com ("Gifts" page imitating PayPal)


Attack Timeline

- 10:00 - Attacker promotes phishing tweet
- 10:15 - 300 people have seen the tweet
- 10:20 - 5 people entered their credentials
- 10:25 - Accounts compromised
- 10:30 - Tweet is taken down due to the abuse reports


Solution?

- Abuse complaint to the domain & host provider ✗
- Abuse complaint to Twitter ✗
- Abuse complaint to Google ✗
- Be more proactive ✓


Being Proactive

- Detect possible phishing domains before the campaign ✓
- Do DDoS ✗ (if you have a huge budget ✓)
- Confuse the attacker ✓
- Observe the honey token flow ✗


What does “jeopardize” do?


Early Detection

- Detects typosquatting, homograph etc. domains (fcaebook.com)
- Analyzes: web server, name servers, HTML forms, Alexa ranking, page size, registration date etc.
- Provides a “Risk Score”


Example analysis (FACEBOOKADS.com, FCAEBOOK.com):

NS: Godaddy
Web Server:
Login Form:
Registration: Old
Risk Score: 50


Confusing the Attacker & Buying Time

Diagram: jeopardize sends fake & honey credentials to the attacker's phishing form at http://acmebnak.com, so the attacker's harvest looks like:

- Utku / Kralbesiktas - LEGIT
- David / Kingwestham - FAKE&HONEY
- Serdar / Tissss - FAKE&HONEY
- John / Lol123 - FAKE&HONEY


From The Attacker's Perspective

- Possibility 1) Most of the credentials are not working
- Possibility 2) All credentials are working but most of them are empty
- Losing time

From The Defender’s Perspective

- Observing the usage ratio of honey tokens
- Tracking the attacker's IP easily
- Detecting affected users
- More time to take precautions
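The defender-side view above (usage ratio of honey tokens, attacker IP, affected users) can be turned into a small detection routine over authentication logs. This is an added example and not jeopardize's own code: the honey usernames, the log format and the sample log lines are constructed for illustration, and the only assumption it relies on is that the honey usernames do not exist as real accounts, so any attempt to log in with one of them is a signal.

```python
"""Honey-token tracking over an authentication log (added example, not jeopardize's code)."""
import re
import secrets
from collections import defaultdict


def generate_honey_tokens(usernames, password_bytes=12):
    """One random, individually trackable password per decoy username.
    The decoy usernames must not exist as real accounts (assumption)."""
    return {user: secrets.token_urlsafe(password_bytes) for user in usernames}


# Constructed authentication log in an assumed one-event-per-line format.
# 203.0.113.7 plays the attacker replaying harvested credentials.
SAMPLE_AUTH_LOG = """\
2023-11-05T10:20:11Z auth user=utku src=198.51.100.4 result=success
2023-11-05T10:31:02Z auth user=david.king src=203.0.113.7 result=fail
2023-11-05T10:31:09Z auth user=serdar src=203.0.113.7 result=fail
2023-11-05T10:31:40Z auth user=utku src=203.0.113.7 result=success
2023-11-05T10:32:05Z auth user=john src=203.0.113.7 result=fail
2023-11-05T10:45:00Z auth user=alice src=198.51.100.9 result=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def analyze_auth_log(log_text, honey_tokens):
    """Report which honey tokens were replayed, from which source IPs, and which
    real users logged in from those same IPs (the likely phishing victims)."""
    honey_users = set(honey_tokens)
    events = [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]

    honey_attempts = defaultdict(int)  # src IP -> number of honey-token attempts
    first_seen = {}                    # src IP -> timestamp of first honey attempt
    tokens_used = set()
    for ev in events:
        if ev["user"] in honey_users:
            honey_attempts[ev["src"]] += 1
            first_seen.setdefault(ev["src"], ev["ts"])
            tokens_used.add(ev["user"])

    # A real account that authenticated successfully from an IP that also
    # replayed honey tokens was most likely phished too.
    affected_users = sorted({
        ev["user"] for ev in events
        if ev["src"] in honey_attempts
        and ev["user"] not in honey_users
        and ev["result"] == "success"
    })

    return {
        "attacker_ips": sorted(honey_attempts),
        "first_seen": first_seen,
        "honey_attempts": dict(honey_attempts),
        # share of issued honey tokens that came back at least once
        "honey_usage_ratio": len(tokens_used) / len(honey_tokens) if honey_tokens else 0.0,
        "affected_users": affected_users,
    }


if __name__ == "__main__":
    tokens = generate_honey_tokens(["david.king", "serdar", "john", "maria"])
    print(analyze_auth_log(SAMPLE_AUTH_LOG, tokens))
```

Matching on the honey username alone is enough here because those accounts never exist; in a deployment where the canary accounts do exist in the directory, the check should also compare the submitted password with the issued token so that a guessed username does not trigger a false alert.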


How “jeopardize” works

Generating Domain Combinations

Figure: the target name (acmebank in the example) is permuted into candidates such as amcebank, acmebnak, acmeban and acmabank.


Detecting Registered Domains

- Brute: Combine the generated words (acmebnak, amcebank etc.) with all TLDs (com, net, xyz, live etc.)
  - Pros: Free
  - Cons: Slow
- Daily: Search the generated words (acmebnak, amcebank etc.) in daily registered domains
  - Pros: Fast
  - Cons: Requires zonefiles.io API key
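The two steps above (permuting the target name, then combining each candidate with every TLD and checking which ones exist) can be put together as follows. This is an added example, not jeopardize's own code: the permutation rules, the small TLD list and the homoglyph map are assumptions, and the resolver is injectable so the check can be run against a known-answer set without touching DNS.

```python
"""Typosquat candidate generation plus a 'brute' registration check
(added example, not jeopardize's code)."""
import socket

# Assumed subset of look-alike substitutions; a real run would use a fuller map.
HOMOGLYPHS = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0", "s": "5"}

# Assumed subset; the deck says the tool iterates over all TLDs.
TLDS = ["com", "net", "xyz", "live"]


def generate_candidates(name):
    """Return sorted typosquat/homograph variants of a bare label (no TLD)."""
    name = name.lower()
    out = set()
    # adjacent swap: acmebank -> amcebank, acmebnak
    for i in range(len(name) - 1):
        out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    # omission: acmebank -> acmeban
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:])
    # vowel swap: acmebank -> acmabank
    vowels = "aeiou"
    for i, ch in enumerate(name):
        if ch in vowels:
            for v in vowels:
                if v != ch:
                    out.add(name[:i] + v + name[i + 1:])
    # homoglyph: acmebank -> acm3bank
    for i, ch in enumerate(name):
        if ch in HOMOGLYPHS:
            out.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:])
    # doubled character: acmebank -> accmebank
    for i, ch in enumerate(name):
        out.add(name[:i] + ch + name[i:])
    out.discard(name)
    out.discard("")
    return sorted(out)


def resolves(hostname):
    """Default resolver: a DNS A lookup (network access required)."""
    try:
        socket.gethostbyname(hostname)
        return True
    except socket.gaierror:
        return False


def brute_check(name, tlds=TLDS, resolver=resolves):
    """Combine every candidate with every TLD and keep the ones that exist.
    `resolver` takes a hostname and returns True if it is registered/resolving."""
    hits = []
    for cand in generate_candidates(name):
        for tld in tlds:
            fqdn = f"{cand}.{tld}"
            if resolver(fqdn):
                hits.append(fqdn)
    return hits


if __name__ == "__main__":
    # Offline demonstration with a constructed "zone" instead of live DNS.
    fake_zone = {"acmebnak.com", "amcebank.xyz"}
    print(brute_check("acmebank", resolver=lambda h: h in fake_zone))
```

The candidate count grows quickly (hundreds of labels times hundreds of TLDs), which is exactly the "free but slow" trade-off the deck describes for the brute mode; the daily mode avoids the per-name lookups by matching the same candidate list against a feed of newly registered domains instead.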


Analyzing the Domains

- IP
- Web Server
- Name Servers
- Page Size
- If login form exists
- SSL Certificate
- Registration Date
- Alexa Ranking


Jeopardizing the Login Forms

- Feed jeopardize with honey tokens
- Jeopardize sends them to the target domains


Saving the Results

<domain>
<address>acmebnak.com</address>
<name_servers>ns1.cloudflare.com ns2.cloudflare.com</name_servers>
<mx_servers></mx_servers>
<date_flag>True</date_flag>
<alexa_flag>False</alexa_flag>
<webserver_flag>True</webserver_flag>
<certificate_flag>False</certificate_flag>
<form_flag>True</form_flag>
<phishing_score>85</phishing_score>
</domain>
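A consumer of these result files needs to read the record back and decide which domains are worth acting on. The following is an added example, not jeopardize's own code: it builds and parses records in the `<domain>` layout shown above and computes a score from the flags. The deck gives only the final score, not how it is weighted, so the per-flag weights here are an assumption chosen to reproduce the sample's 85.

```python
"""Build and read jeopardize-style <domain> result records (added example, not the tool's code)."""
import xml.etree.ElementTree as ET

# ASSUMED weights: each flag that is True adds to the score. They are chosen so
# that the deck's sample (date, webserver and form flags set) scores 85.
FLAG_WEIGHTS = {
    "date_flag": 25,        # recently registered
    "alexa_flag": 10,       # Alexa-ranking based indicator (assumed meaning)
    "webserver_flag": 15,   # live web server answers
    "certificate_flag": 5,  # SSL certificate indicator (assumed meaning)
    "form_flag": 45,        # login form present on the page
}


def phishing_score(flags):
    """Sum the weights of the flags that are set, capped at 100."""
    score = sum(w for name, w in FLAG_WEIGHTS.items() if flags.get(name))
    return min(score, 100)


def build_record(address, name_servers, mx_servers, flags):
    """Serialize one analysed domain into the <domain> record format."""
    domain = ET.Element("domain")
    ET.SubElement(domain, "address").text = address
    ET.SubElement(domain, "name_servers").text = " ".join(name_servers)
    ET.SubElement(domain, "mx_servers").text = " ".join(mx_servers)
    for name in FLAG_WEIGHTS:
        ET.SubElement(domain, name).text = str(bool(flags.get(name)))
    ET.SubElement(domain, "phishing_score").text = str(phishing_score(flags))
    return ET.tostring(domain, encoding="unicode")


def parse_record(xml_text):
    """Parse a <domain> record back into a dict; server lists are space separated."""
    root = ET.fromstring(xml_text)
    if root.tag != "domain":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return {
        "address": root.findtext("address"),
        "name_servers": (root.findtext("name_servers") or "").split(),
        "mx_servers": (root.findtext("mx_servers") or "").split(),
        "flags": {name: root.findtext(name) == "True" for name in FLAG_WEIGHTS},
        "phishing_score": int(root.findtext("phishing_score")),
    }


def high_risk(records, threshold=80):
    """Addresses whose stored score meets the threshold (assumed cut-off of 80)."""
    return [r["address"] for r in records if r["phishing_score"] >= threshold]


if __name__ == "__main__":
    sample = build_record(
        "acmebnak.com",
        ["ns1.cloudflare.com", "ns2.cloudflare.com"],
        [],
        {"date_flag": True, "webserver_flag": True, "form_flag": True},
    )
    print(sample)
    print(high_risk([parse_record(sample)]))
```

Because the score is stored in the record alongside the flags, a reader can recompute it with its own weights and compare; that is the place to tune the threshold against false positives before wiring the output into an alerting pipeline.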


Usage

python3 jeopardize.py --domain facebook.com --type brute

python3 jeopardize.py --domain facebook.com --type incremental

python3 jeopardize.py --domain facebook.com --type daily -U user.txt -P pass.txt




https://github.com/utkusen/jeopardize 


